A cloud provider sets up a KVM host in an LPAR for IBM Secure Execution.
About this task
The KVM host must opt in to IBM Secure Execution, that is,
to use the Ultravisor. Use the prot_virt kernel parameter to opt in for IBM Secure Execution on the host.
Procedure
Modify a Linux instance to be able to act as an IBM Secure Execution host.
Modify the boot configuration.
For example, if you use
zipl, add the parameter prot_virt to the parameters in the
zipl.conf file and save.
For example:
# vi zipl.conf
...
parameters=" ...prot_virt=1"
...
Run
zipl. For more information about zipl, see the Device Drivers, Features, and
Commands or the man page.
From the HMC, IPL the device, which then boots the secure KVM
host.
The KVM host then donates some memory to the ultravisor. The
ultravisor uses the memory to store the security context for memory in the LPAR. Because of
this memory donation, the KVM host sees slightly less memory than what is available in the LPAR. The
resulting setup is shown in Figure 1.
Figure 1. A KVM host is set up to run in IBM Secure Execution mode
Verify that the opt-in was successful.
Check the output of the
dmesg command. The command must show that memory was reserved for the
ultravisor.
For
example:
[ 1.010810] Reserving 322MB as ultravisor base storage
The exact amount
varies with the size of the LPAR.
Tip: In a trusted environment, if your distribution
supports it, you can read sysfs attributes as indicators of IBM Secure Execution mode:
sys/firmware/uv/prot_virt_host. The KVM host runs in IBM Secure Execution
mode if the value is 1.
sys/firmware/uv/prot_virt_guest. The KVM guest runs in IBM Secure Execution
mode if the value is 1.
Note that this does not constitute full proof that the host or guest is secure.
